[
https://issues.apache.org/jira/browse/WW-4815?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Lukasz Lenart closed WW-4815.
-----------------------------
> Migrating Struts 2.3.16.3 to 2.3.32
> -----------------------------------
>
> Key: WW-4815
> URL: https://issues.apache.org/jira/browse/WW-4815
> Project: Struts 2
> Issue Type: Task
> Components: Core
> Affects Versions: 2.3.16.3
> Reporter: Deborah White
> Fix For: 2.3.32
>
>
> I need some assistance and am hoping you can provide some insight. I know
> this is probably not the place to do this, but I'm not finding answers
> elsewhere. I am updating from 2.3.16.3 to 2.3.32 due to the vulnerability.
> The problem is that the excluded classes in the struts-default.xml are being
> used by my application and I certainly do not have time to do a rewrite.
> This is the Warning I get and then my application does not run as it should
> because it seems it is not forwarding the roles:
> WARN [com.opensymphony.xwork2.ognl.SecurityMemberAccess] Package of target
> [org.apache.struts2.dispatcher.StrutsRequestWrapper@42f3b47f] or package of
> member [public boolean
> javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)]
> are excluded!
> I need to know how I can safely modify the struts-default.xml and still have
> the fix for the vulnerability. Also, if there is something I can instead
> include in my struts.xml file that would override, that would be better.
> Thank you.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
